Tech Giants Brace for Europe’s New Data Privacy Rules

Over the past two months, Google has started letting people around the world choose what data they want to share with its various products, including Gmail and Google Docs.

Amazon recently began improving the data encryption on its cloud storage service and simplified an agreement with customers over how it processes their information.

And on Sunday, Facebook rolled out new universal data privacy center — a single page that permits users to organize who sees their posts and what kinds of ads they are served.

While these changes are rippling out worldwide, a major reason for these shifts comes from Europe: The tech giants are preparing for a stringent new set of data privacy rules in the region, called the General Data Protection Regulation.

Set to take effect on May 25, the regulations restrict what kinds of personal data the tech companies can collect, store and use across the 28-member European Union. Among their provisions, the rules enshrine the so-called right to be forgotten into European law so people can ask companies to remove convinced online data about them. The rules also need anyone under 16 to obtain parental consent before utilizing popular digital services. If companies do not comply, they could face fines totaling 4 % of their annual revenue.

With the deadline for the new rules now just a few months away, Silicon Valley’s tech behemoths have been crawling to get ready. Facebook and Google have deployed hundreds of people to make sense of the regulations. Many of the companies have overhauled how they provide user’s access to their own privacy settings. Some have redesigned certain products that suck up too much user data. And in some cases, companies have deleted products entirely from the European market because they would violate the new privacy rules.

“Every person who works for us has, in some way, been involved in preparing the company for G.D.P.R.,” said Doug Kramer, general counsel of CloudFlare, an internet performance and security company based in San Francisco that has tightened its data storage and processing practices. “G.D.P.R. is going to introduce very fundamental changes to the way the internet works for anyone.”

The rush of activity is a reminder of how Europe has set the regulatory standard in reining in the immense power of tech giants, while other places — including the United States — have largely taken a noninterventionist stance. The G.D.P.R. rules were approved in late 2015 after tech companies like Facebook ran into issues over data protection with national privacy watchdogs in different European countries.

European officials said the arriving rules are forcing American tech giants to take a step back.

“There has not been any pushback from American companies,” said Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality. “If anything, they seem very eager to understand how exactly they can comply with the regulation.”

Officials from Facebook, Google and other companies said in interviews that they had been working to give people more control over what data they share anyway. In the past, many of the companies fought back in European courts over privacy rules and declined to offer certain products in the region rather than redesign them to meet privacy standards.

The arriving of the new rules has nonetheless pushed a big scale of internal change, Gilad Golan, Google’s director for security and data protection, said at a San Francisco event last month to introduce new security features. “When G.D.P.R. goes into effect in 2018, we will be ready,” he said.

The largest challenge, he said, has been preparing for the regulation’s mandate that people in Europe must have control over how their digital data is organized. Google, he said, has had to go through each of its services — from Gmail to its Cloud storage services — to comply. Since the new rules need personals to give their consent before a company accesses data, for example, Google has had to redesign many consent agreements, as well as change underlying technology to make it simpler to remove someone’s data.

“For a company with infrastructure of our size, it takes a lot of work,” Mr. Golan said.

Facebook has also taken multiple steps to deal with the appearing rules. On Sunday, the company started offering a new privacy center that puts user security settings on one page instead of dispersing them across various sections of the social network. While the company said the changes was separate from its preparations for the new European regulations, Facebook’s chief operating officer, Sheryl Sandberg, connected the two in a speech in Brussels last week.

The new privacy center would give Facebook a “very good foundation to meet all the requirements of the G.D.P.R. and to spur us on to continue investing in products and in educational tools to protect privacy,” Ms. Sandberg said.

Rob Sherman, Facebook’s deputy chief privacy officer, said the social network has also held a series of “Design Jams” where it invites designers and engineers to re-imagine how products look so that people can more simply see and control their online data.

With the new rules coming, Facebook also decided not to roll out some items in Europe that would violate the privacy laws.

Last November, for instance, the company unveiled a program that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the program to users in Europe, where the company would have had to ask people for permission to access sensitive health data, including about their mental state. The social network has also kept out of Europe facial recognition software that tracks when images of users are posted across the platform.

Amazon, too, has made changes. Last April, the company wrote a blog postoutlining its efforts to satisfy with the new European regulations. The internet retailer said it would strengthen the encryption around the data it stores on its cloud storage services, and reaffirmed the rights of clients to choose which region — Europe or otherwise — where they want their data stored. Amazon declined to discuss the work.

Some American tech companies said they welcomed the new data protection rules.

“We embrace G.D.P.R. because it sets a strong standard for privacy and data protection rights, which is at the core of our business,” Julie Brill, a corporate vice president and deputy general counsel at Microsoft, said in an interview. “We started work on G.D.P.R. as soon as it was adopted by the European Union. Our preparations for G.D.P.R. touch every component of our company.”

How the largest tech companies handle the regulations will most likely influence their smaller counterparts. Angelo Spenillo, general counsel for Siteimprove, which assist companies manage their presence online, said many little tech companies have been seeing toward Google and Facebook for how user privacy and data will be managed online.

“Where the bigger companies go, the smaller companies will follow suit,” he said. “We’re going to look real changes across the board.”

Ms. Jourová said as the new rules take effect, countries outside Europe could begin demanding similar data protection measures for their citizens.

“There will be a moment, especially as more and more people in the U.S. find themselves uncomfortable with the channels monitoring their private lives,” she said.